Sorry for this not being replied to earlier. Details inline below.

On 26/08/2014 2:25 p.m., James Harper wrote:
> I am using the latest 3.4 build and a config that looks like:
>
> ident_lookup_access allow localnet
> ident_lookup_access deny all
> ident_timeout 5 seconds
>
> acl password_required proxy_auth REQUIRED
> acl ident_required ident REQUIRED
>
> http_access allow localnet ident_required ident_unrestricted_group
> http_access allow localnet ident_required unrestricted_sites
> http_access_deny localnet ident_required
>
> http_access allow localnet password_required password_unrestricted_group
> http_access allow localnet password_required unrestricted_sites
>
> http_access_deny
>
> The idea is that ident will be used, and if ident can't be used,
> proxy auth (ntlm) will be used.
>
> The problem is that for users who ident successfully but are not in
> the ident_unrestricted_group / password_unrestricted_group (both
> the same windows group), they get a 407 response and a password
> prompt, instead of an access denied. I can work around this by
> putting:
>
> deny_info 403:ERR_ACCESS_DENIED ident_required
>
> just before the identd deny, but it seems like a hack.
>
> Am I doing something wrong or could this be a bug?

You seem to be expecting that ident_required will return false if ident
is not supplied.

Try this instead:

acl login proxy_auth REQUIRED
acl ident ident REQUIRED

http_access deny !localnet
http_access allow unrestricted_sites
http_access deny ident !ident_unrestricted_group
http_access allow ident
http_access deny !login
http_access allow password_unrestricted_group
http_access deny all

>
> Also, are there any implementations of ident that are a bit more
> useful? Such a thing would:
> . have a single TCP connection between squid and the client
>   (preferably client initiated), kept alive for a reasonable time
> . authenticate the identd server itself (identd is not really
>   considered secure)
> . allow squid to specify all aspects of the connection (ident
>   expects the lookup to come from the destination, which isn't true
>   if you are doing transparent proxying, although easy to patch
>   squid to fake the source)
>

IDENT is a protocol. It is what it was designed to be. It is *not* a
form of authentication in any way.

Amos

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
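The ident exchange discussed in this thread, as an added example that is not part of the original messages: a minimal RFC 1413 query builder and reply parser in Python. The port numbers, user name and reply strings are constructed samples; the one check the querying side can perform is that the reply echoes the port pair it asked about, which is all the protocol offers.

```python
# RFC 1413 (ident) query builder and reply parser: an added example, not code
# from the squid-users thread. It shows that an ident reply is plain text the
# client host asserts about itself; the only checkable part is the port pair.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class IdentResult:
    server_port: int
    client_port: int
    user: Optional[str]   # user-id from a USERID reply, else None
    error: Optional[str]  # error token from an ERROR reply, else None

def build_query(server_port: int, client_port: int) -> bytes:
    """Query the server side sends (RFC 1413 s.4): for a proxy, its listening port and the client's ephemeral port."""
    for p in (server_port, client_port):
        if not 1 <= p <= 65535:
            raise ValueError("port out of range")
    return f"{server_port} , {client_port}\r\n".encode("ascii")

_REPLY = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

def parse_reply(line: bytes, expected: Tuple[int, int]) -> IdentResult:
    """Parse one reply; reject it unless it is for the pair we asked about."""
    text = line.decode("ascii").rstrip("\r\n")
    m = _REPLY.match(text)
    if not m:
        raise ValueError(f"malformed ident reply: {text!r}")
    sp, cp = int(m.group(1)), int(m.group(2))
    if (sp, cp) != expected:
        raise ValueError(f"reply is for {sp},{cp}, not {expected}")
    kind, rest = m.group(3), m.group(4)
    if kind == "ERROR":
        return IdentResult(sp, cp, None, rest)
    # USERID: "<opsys>[ , <charset>] : <user-id>"; the user-id may itself
    # contain ':' so split only on the first one.
    _opsys, sep, user = rest.partition(":")
    if not sep or not user.strip():
        raise ValueError("USERID reply without a user-id field")
    return IdentResult(sp, cp, user.strip(), None)

# Constructed sample replies for a Squid on port 3128 asking about a client
# connection from ephemeral port 49152 (not real captures).
SAMPLE_OK = b"3128 , 49152 : USERID : UNIX : jdoe\r\n"
SAMPLE_ERROR = b"3128 , 49152 : ERROR : HIDDEN-USER\r\n"
SAMPLE_WRONG_PAIR = b"3128 , 49153 : USERID : UNIX : jdoe\r\n"
```

Nothing in the accepted reply is bound to the client beyond the port pair, which is why it cannot stand in for proxy authentication.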